A newly uncovered bug that could have leaked passwords, credit card digits and more at millions of websites should be a wake-up call to Internet users: That oft-repeated advice to change your passwords regularly should be heeded.

Like, now.

The bug, ominously called Heartbleed, could affect two-thirds of the world's websites. It's particularly nasty because it strikes encryption technology used to protect data – it's exposing precisely the type of information most people want desperately to keep private.

If you've ever bought anything online and been comforted by the "https" in the URL and the little padlock icon, your faith might have been misplaced. The bug affects OpenSSL, the most popular cryptographic library meant to keep safe the information you type into supposedly secure sites.

"It makes you think maybe this isn't the answer – to do everything online, having all of your payments stored in a cloud," said Jay Baer, a marketing consultant and author of "Youtility: Why Smart Marketing Is about Help Not Hype."

But, he added, "It's hard to imagine the genie going back into the bottle."

So what sites were actually compromised? It's impossible to tell. An attack exploiting the bug would leave no trace, and the security researchers who uncovered the problem earlier this week – Finland-based Codenomicon and Google Security – say the vulnerability has existed for two years. (More information is at heartbleed.com.)

Mashable, a tech-news site, has compiled a Heartbleed hit list that includes Yahoo, TurboTax, OKCupid and Dropbox. Plenty of big companies on the list are marked as "unclear," in part because some businesses refuse to say whether they use OpenSSL or another variant.

"Our policy is not to comment on our security procedures, and that will continue to be the case," said Jim Sluzewski, spokesman for Cincinnati-based Macy's. Sluzewski also said Macy's sites "have not been impacted at this time."

Spokesman Sean Parker of Fifth Third Bank, which is headquartered in Cincinnati, said: "We don't disclose what we use, but we are not vulnerable."

Some big payment-based sites apparently were not affected, such as Amazon.com, PayPal and Target.

Tech experts say changing your passwords now is a good start. (A post on the popular blogging platform Tumblr goes so far as to suggest "this might be a good day to call in sick and take some time to change your passwords everywhere.")

But one password change might not be enough: Some of the websites are still working on fixes, meaning your new information could still be immediately vulnerable. That means you should change your passwords again once the leak is plugged.

Duke Energy, the dominant utility in the Cincinnati region, is encouraging password changes even though no abnormalities have been detected in its network.

"We always recommend to employees and customers, just as good practice, to change account login information on a frequent basis," said Sally Thelen, a Duke spokeswoman.

Experts say that in Heartbleed's wake, maybe it's time to rethink how much you put online, no matter how secure it appears.

"The more everything goes to the cloud and goes digital, the more vulnerability we all have," Baer said. "Everybody's psyched about convenience, but convenience sometimes comes with a price."

• Make passwords at least eight characters long, and include numbers, capital letters and symbols.

• Don't use easy-to-guess passwords such as pet names or dates of birth.

• Don't use dictionary words. Consider instead using a phrase and then shortening the phrase to the first letter of each word and using a symbol in place of a letter, such as $ for 's' or ! for 'i'. (Example: The phrase, "My sisters and I grew up in southern Alabama" could be shortened to M$&Igu!$A, which would be awfully tough to guess.)

• Beware of phishing attacks. Never click on links that ask you to log in, change your password or provide other personal information, as they might be part of a phishing attempt that gives your information to a hacker and compromises your passwords.